METHOD OF DETECTING MALIOOUS SCRIPTS USING CODE INSERTION 

TECHNIQUE 

5 BACKGROUND OF THE INVENTION 

1 . Field of the Invention 

The present invention relates to a method of detecting malicious scripts, and more 
10 particularly, to a technique capable of detecting malicious codes through continuous behavior 
monitoring by using a code insertion technique. 

2. Description of the Related Art 

1 5 Malicious codes are codes that have been created for the purpose of ah abnormal operation 

of a system or its harm behavior and computer viruses, worms, Trojan horses arid the like are 
among them. Malicious scripts are referred to as malicious programs wintten in a script language. 
Most of the malicious scripts discovered up to now are written in Visual Baste Script, mIRC script 
and JavaScript, and some of them are written in PHP script, Corel Draw Script and the like. 
20 A signature-based scanning method is widely used to detect these malicious scriffts as well 

as binary malicious codes. However, since this method can detect only malicious codes from 
which signattires are extracted by a careful pre-analysis, the heuristic scanning, static analysis, 
behavior monitoring technique, etc. are mainly used to detect new^ unknown malicious scripts. 
For easy understanding of the present invention, a technique for detecting conventional imknown. 
25 malicious scripts is discussed below. 

First, the heuristic scanning corresponds to a method of organizing method calls or intrinsic 
function calls frequently used in malicious behavior into a database, scanning object scripts, and 
determining the object scripts as malicious scripts if dangerous calls occur over the predetemiined 
number of times. Although this method exhibits relatively high speed and high detection rates, it 
30 has a severe disadvantage in that a false positive in which legitimate scripts are regarded as 
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malicious codes is considerably high. 

Second, to overcome such a disadvantage, the static analysis method has been proposed for 
accurately detecting malicious behavior by defining not the dangerous niethod 5alls but method 
sequences constmcting the malicious behavior. 
5 FIG. 1 shows an example of a Visual Basic Script code that performs self-replication via 

electronic mail for explaining the concept of the present invention. It can be confirmed from the 
figure that if a pluralit>^ of method calls is to establish any one malicious behavior, a special 
relationship should be necessarily maintained between their parameters and retum values. For 
example, a "Copy" method in the fourth row copies a currently executing script into a file having a 
10 name of "LOVE-LETTER-FOR-YOU.TXT.VBS" and an "AttachmentsAdd" method in the 
seventh row attaches the copied file to a newly created mail object, so that the self-replication via 
mail can be accomplished. However, if a method of checking only the presence of the method 
calls is employed, a code containing any irrelevant method call for creating a script file "A" and 
then attaching a file "B'' to the mail object may also be regarded as a malicious code. Thus, it 
15 results in a high false positive. This static analysis method has been attempted to check whether 
aforementioned file names and all relevant values such as "fso", "c", "oiit"^and "male" as well as 
the presence of method calls match one another in order to overcome a high error rate produced 
from the other methods. 

. In practice, this malicious behavior cannot be defined by only a series of method 
20 sequences, but is composed of a combination of various methods or method sequences. In the 
static analysis technique, therefore, the malicious behavior has been modeled to be composed of a 
combination of unit behaviors each of which is composed of smaller unit behaviors or at least one 
method call, and each unit behavior and a method call sentence have been expressed as a single 
rule. For example, if a pattern of malicious behavior is defined considering only the methods 
25 shown in FIG. 1 , it can be expressed as shown in FIG. 2. That is, FIG. 2 shows an example of a 
definition of self-replication behavior via a mail. As shown in FIG. 2, the rule is classified into a 
matching rule and a relation rule, which are identified by M and R, respectively, con-esponding to 
first alphabets in rule names. A condition of the matching rule is satisfied if a sentence having the 
same pattern as that described in the right side of the FIG. 2 is present, while a condition of the 
30 relation aile is satisfied if a conditional expression in the right side of FIG. 2 is tme. 
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Determination on the presence of malicious behavior through this static analysis has an 
advantage in that extremely low false positive can be guaranteed as compared to a simple detection 
technique in which only the fre^iuency of occurrence of method calls usable for the malicious 
behavior is considered. However, there frequently occurs a case where it cannot be ultimately 
5 anticipated by only source code analysis before the execution of method calls what values do 
relevant parameters or return values have after the execution. Thus, there is a high possibility of 
false negative in which even actual malicious codes may not be detected, hi other words, 
according to this technique, precise detection has been attempted through method call sequences of 
the malicious behavior. However, if even any one of values that can be detemiined only when the 
1 0 method call sequences are executed intervened in the sequences, it cannot be regarded as rnalicious 
behavior even though other conditions are satisfied. Thus, high false negative will be produced. 

Third, the behavior monitoring technique corresponds to a technique for capturing and 
monitoring system calls necessary for the program execution and regarding a relevant program as a 
malicious code when a sequence of system calls that are determined to be malicious behavior 
15 appears. Since this technique performs the detection during the- program" execution, it has an 
advantage in that a precise execution path of the relevant code can be tracked and associated 
dynamic data can also be used. However, this technique has a disadvantage in that behavior 
monitors must be installed for all clients and overhead due to the monitoring for all programs under 
execution is large. More specifically, in electronic mail services where all data entering a specific 
20 domain pass through one server, the technique for coping with the virus can be classifted into a 
server-side technique and a client-side technique according to a physical position of an anti-vinis 
system. Since the server-side anti-viruses intercept malicious codes entering the specific domain at 
a gateway, the technique can be usefully employed in an electronic mail server and the like even in 
actual circumstances where it is hard to completely control all the clients. At this time, additional 
25 techniques for the detection of malicious codes on the server are not present, but it is common to 
use known techniques that are modified a little to be suitable to any operation on the server. 
However, the behavior monitoring technique that is perfonned on the basis of monitoring tools 
installed at each client cannot be employed in the server. Furthermore, even though the technique 
can be employed in virtual environments using the emulation, it still imposed a heavy burden on 
30 the server. Therefore, there is a problem in that it is difficult to use the behavior monitoring 
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technique in reality. 

Due to the problems in the conventional techniques as described above, current server-side 
anti-\drus system loaded on the^ electronic mail server and the like operates on ttie basis of the. 
signature-based scanning and takes a passive action of delaying the diffusion of new unknown 
5 malicious scripts by adding a filtering function or filename change function to the signature-based 
scanning. 

SUMMARY OF THE INVENTION 

10 Accordingly, the present invention is conceived to solve the problems in the prior art. An 

object of the present invention is to provide a method of detecting malicious scripts using code 
insertion technique, in which relevant scripts can detemiine the presence of their own 
maliciousness without any extemal help upon the execution of the scripts, by inserting script codes 
capable of performing the self-detection into original script codes. 

1 5 According to an aspect of the present invention for achieving the object there is provided a 

method of detecting malicious scripts using code insertion technique, cgmprising the step of 
checking values related to each sentence belonging to call sequences by using method call 
sequence detection based on rules including matching rules and relation rules, wherein the 
checking step comprises the steps of inserting a self-detection routine (malicious behavior detection 

20 routine) call sentence before and after a method call sentence of an original script; and detecting the 
malicious codes during execution of the script through a self-detection routine inserted into the 
original script. 

Preferably, the self-detection routine call sentence is composed of sentences for storing 
parameters and return values and calling a detection engine, said sentences being inserted before 

25 and after Jhe method call sentence when the method call sentence matches with contents described 
in the matching mle, and the self-detection routine includes a mle-based detection engine for 
executing the relation rule related to a relevant matching rule when a method corresponding to the 
matching rule is called and detecting the presence of malicious behavior of the method call 
sequence, and methods for causing the parameters and retum values of the method call sentence 

30 satisfying the matching rule to be stored into a buffer usable by the detection engine. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The above and other objects, features and advantages of the present invention will become 
5 apparent from the following detailed description of a prefened embodiment given in conjunction 
with the accompanying drawings, in which: 

FIG. 1 shows an example of a Visual Basic Script code that performs self-replication via a 

mail; 

FIG. 2 shows an example of a definition of self-replication behavior via a mail; 
10 FIG. 3 is a diagram illustrating a concept of an application transformation system; 

FIG. 4 is a diagram illustrating a concept of the present invention; 

FIG. 5 is a flowchart illustrating a process of detecting malicious scripts according to tlie 
present invention; 

FIG. 6 shows an example of rule description grammar according to the present invention; 
15 FIG. 7 is a diagram illustrating a concept of a self-replication pattern extracted through an 

electronic mail from Visual Basic Script; 

FIG. 8 shows an example of a relation mle definition for detecting the self-replication 
pattern through an electronic mail; 

FIG. 9 shows an example of a method call code with a code insertion technique applied 

20 thereto; and 

FIG. 10 shows an example of the generation of mle instances made through malicious 
behavior detection routine during the execution of scripts. 



DETAILED DESCRIPTION OF THE INVENTION 

25 

Hereinafter, the present invention will be described in detail with reference to the 
accompanying drawings. 

An application transformation technique that is modified and employed to implement the 
present invention will be first explained. The application transfomiation technique suggested for 
30 code safety corresponds to a technique for converting a relevant code into a form on which a 
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predefined policy can be enforced, when a code unreliable in its safety during the execution thereof 
is given. Therefore, when a transformed code is executed, an original operation is performed after 
it is checked whether system resources, \N=hich can be accessed by API calls wheriever each API is 
called, are allowed. ^, 
5 FIG. 3 is a diagram illustrating a concept of an' application transformation system. 

Referring to this figure, an entire system is generally composed of a policy generator and an 
application transfomier. The policy generator operates when the system is initialfy installed or 
security policy is changed. At this time, a safety policy including abstract descriptions on system 
resources and limitations on resource handling, and infonnation on API libraries of a relevant 
10 platform and their resource use details are input in the policy generator. Therefore, when a platfonn 
library with codes necessar\- for policy enforcement inserted therein and a policy description file 
with an actual code correction guide described therein are generated, a preparatory work for the 
application transformation will be completed. If an object code is given, the application 
transfomier replaces a specific API call of a relevant code with a call for a modified platfomi 
1 5 . library with reference to the policy description file so that the predefined policy can be applied upon 
the execution of the object code. This application transformation technique can be usefiilly 
employed in access control enforcement for a mobile code having a similar form as a source 
program such as a source code or P-code. However, the technique canilot detect a pattem of 
malicious behavior, since it dose not consider a relation between respective fimction calls but 

^ ■ ■ ■ * 

20 detemiines only whether the execution of the specific API can be allowed. 

FIG. 4 is a diagram illustrating a concept of the present invention, hi this figure, it is 
illustrated a technique for detecting malicious codes upon execution thereof by inserting a detection 
routine into a script source using the application transfomiation technique while employing a mle- 
based method call sequence detection metiiod such as a static analysis technique. Refening to this 

25 figure, a self-detection routine generator 10 generates a self-detection routine (malicious behavior 
detection routine) capable of detecting malicious behavior based on detection rules 4 including 
matching mles and relation rules. A script transfomier 20 transforms an original script 2 including 
metiiod call sentences into a script 6 capable of continuously perfomiing tiie self-detection during 
tiie execution tiirough tiie metiiod call sequence based on the detection rules 4 and tiie self- 

30 detection routine generated in tiie self-detection routine generator 1 0. That is, a script entering from 
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the outside or suspected of its maliciousness is transformed so. \that it can be self-detected 
continuously at a predetermined time before the execution. At this time, the script transformer 20 
does not modify a sentence itself described in the original script 2 but merely causes additional . 
codes to be inserted into the script. 
5 Now referring to FIG. 5, a process of detecting malicious scripts by employing the method 

call sequence detection method based on niles including the matching and relation rules, as 
. illustrated in FIG. 4, and by checking the values related to each sentence belongihg to the call 
sequences. First, a self-detection routine call sentence is inserted before and after a method call 
sentence of the original script (S510). Therefore, when the original script is executed, the malicious 
! 0 codes can be detected through a self-detection routine inserted into the original script (S520). 

Next, codes to be inserted into a script will be discussed. A first kind of the codes corresponds to 
sentences that take parameters and return values and call the self-detection routine, and the 
sentences are inserted before and after the method call sentence of the original script 2. That is, the 
sentences are described as "put parameter to buffer", "put return value to buffer", and "run Self- 
15 Detection Routine" in the transfomied scripts 6 of FIG. 4, and actually have the same structvire as 
shown in FIG. 9. these sentences are not inserted into all the method call s;entences, and they are 
inserted only before and after the method call sentences exhibiting a pattem corresponding to that 
described in the matching rule. At this time, the script transformer 20 takes necessar>' values 
through proper analysis of the matching mle and inserts codes for calling the self-detection routine. 
20 This is because the number of parameters to be taken varies according to the methods and the 
metliod calls v/ith no return value are also present. 

A second kind of the codes is the self-detection routine. This routine is independent of 
contents of a script and varies only according to rules that define malicious behavior. In other 
words, since this routine is not modified so long as the definition of malicious behavior is not 
25 modified, it can be generated in advance by the self-detection routine generator 10 and is 
configured to comprise a rule-based detection engine and buffer handling methods. Since the 
detection engine is perfonned only when the methods corresponding to the matching rule are 
called, it ftinctions to execute all the relation rules related to a relevant matching rule and check 
whether method call sequences up to now establish the malicious behavior. The buffer handling 
30 methods correspond to methods for causing the parameters and retum values of the method call 
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sentences satisfying the matching rule to be stored into a buffer usable by the detection engine. 

This detection technique is not limited to a specific script language but can allow the same 
algorithm to be applied to a plurality of script languages by differently defining only a §et of mles 
being currently used. Particularly, in Microsoft Windbws, a plurality of languages such as Visual 
5 Basic Script and JavaScript are executed through the same windows scripting host and utilize the 
same run-time object and environment. Therefore, the sets of mles for use in different languages 
• can be defined by changing only the matching rules according to each script grammar. 

Now, for easy understandmg of the present invention, points of view to be considered for 
implementing the aforementioned code insertion technique and the implementation thereof will be 
10 explained. First, it is preferred that rules for use in tlie definition of malicious behavior are changed 
into rules that is similar to but more simple and consistent than that of the conventional code static 
analysis techniques. FIG. 6 shows an example of rule description grammar according to the 
present invention. Referring to FIG. 6, one rule description file is composed of a plurality of rule 
definitions, and each mle is composed of a aile ID (mlejdentifier) and a mle body (rule__body). A 
15 format of the mle body depends on the matching and relation mles. The matching mle takes the 
format of a general script sentence and fi.irther includes a mle variable .,(variable_string). hi 
addition, the relation mle is composed of a condition phrase (condition_phrase) and action phrase 
(action_phrase) and executes the content in the action phrase when the conditions of the condition 
plirase are satisfied. The condition phrase is composed of one or more condition expressions, each 
20 of which is described to check whether a specific mle has been already "satisfied, specific variable 
values of two mles are equal to each other, or one of the specific variable values is included in the 
other value. 

By the way, the conventional mle techniques was complicated primarily because they do 
not support logical operators such as AND and OR. That is, assuming that each of A, B and C is a 
25 single condition expression (condition_expr), a condition "(A AND B) OR C" should be described 
as follows: 

Rl: cond A 
R2: precond A 
condB 

30 action Sglobal = tme 
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R3:condC 

action Sglobal = tijie 

That is, the condition must be described in such a manner that a condition connected by 
AND is separated into a plurality of rules each of which is described in a pre-satisfied condition 

5 phrase (pre-condition phrase) and a portion processed by OR is described to change a global 
variable initialized as 'Talse" to 'true" when each condition expression is satisfied. Since it makes 
the Rile techniques and subsequent decryption difficult, it should be modify so that a mle technique 
can be simple and coincident with logic of malicious behavior as a whole by allowing the logical 
operators to be directly used in the condition expression instead of using the global variable. 

10 In the meantime, actual rule definition can be obtained through empirical analysis of 

conventional malicious codes. As it has been theoretically proved, there is no set of heuristic mles 
capable of accurately detecting all possible malicious behaviors and the set of rules should be 
continuously updated whenever new malicious codes or behavior patterns appear. Noting that the 
malicious codes can be clearly differentiated fi-om legitimate programs according to whether they 

15 can perform the self-replication, the self-replication behavior patterns of -the malicious scripts 
known up to now can be summarized as listed in Table 1 . 



Table 1 



Classification 


Contents > 


Self-replication in local system 


Make a malicious script's own replica in an object system. 

Speaking strictly, the self-replication can be classified into 
a case where non-existing new replicas are created and a 
case where contents of a script file existing in the object 
system are replaced with malicious script's own contents 


Self-replication via electronic mail 


Send an electronic mail with a malicious script attached 
thereto to an account listed in an address list 


Self-replication via IRC 


Modify an initialized script of an ERC client such as mIRC 
and allow a malicious script itself to be sent when chatting 
partner is connected 


Self-replication via share folders 


Search network share folders and copy a malicious script 



20 

Since each malicious behavior listed in Table 1 is defined as one or more unit behaviors or 
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method call patterns and each unit behavior is again defined as one. or more sub-unit behavior or 
method call sub-pattern, a specific malicious behavior can be expressed in the form of a tree where 
one rule is represented as one node. Therefore, completed- rules can be obtained by. analyzing a 
plurality of known malicious scripts, arranging code patterns for performing the self-replication in 

5 the form of a tree, and then describing the code patterns in a defined grammar. 

For example, a tree structure shown in FIG. 7 can be obtained by extracting a variety of 
. self-replication patterns using an electronic mail from known Visual Basic malicious scripts and 
arranging the extracted patterns into a single tree. Since terminal nodes in the tiee stRicture shown 
in FIG. 7 can be used as the matching rules without any modification, relation rules shovm in FIG. 

10 8 can be obtained by expressing the tree structure according to the defined grammar in 
consideration of the meanings of intermediate nodes. 

Symbol used in the matching rules of the rule descriptions shown in FIG. 7 mean 
wildcards that can match with any kinds of tokens. In addition, the relation rules for checking only 
the presence of rules in the condition phrases operate by recognizing the right side of the action 

15 phrase as rule variables of rules satisfying the conditions even though additional rule IDs are not 
described in the right side of the action phrase. For example, in the case of R4, the action phrase is 
interpreted as "$1 = M2.$r' if tlie condition expression is satisfied because a mle of M2 is satisfied, 
and the action phrase is interpreted as ''SI = R6.$r' if the condition expression is satisfied because 
a rule of R6 is satisfied. Therefore, the mle descriptions can be simplified. 

20 According to these rule descriptions, behavior patterns written in not only the Visual Basic 

Script but also other script languages can be detected in the same way. Actually, if only a first 
token "Sef ' of R3, R5, R8 and R9 in the matching mles shown in FIG. 7 is removed, the self- 
replication behavior via a mail can be detected in the JavaScript environment. Contrary to the 
Visual Basic Script in which a sentence "Set"' should be necessarily used for the assignment of 

25 objects, the JavaScript can perfonn this object assignment in the form of a general assignment 
statement. Thus, the same detection operation can be performed without any modifications of the 
relation rules, if a difference in the above grammar is merely considered. 

Now, a process of inserting script codes will be described in detail. If an object script is 
given, codes for causing parameters and return values to be stored in the buffer and calling 

30 fiinctions for inspecting malicious behavior should be inserted into the object script before and after 
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calling the methods belonging to method sequences constituting malicious beha\dor. This process 
is accomplished by the script, transfomier. Method call codes after the code insertion are modified 
as shown in FIG. 9^ "FSO.GetFlLE" in the second row of FIG. 9 is a method to be checked and 
first and third rows are codes that are inserted to check the operation of this method. A "RuleB^e" 

5 object is an object for providing rule definitions and relevant malicious behavior detection routines, 
and it is implemented in such a manner that this object is appended to an end of modified codes 
after the code insertion has been made. The code of this object is generated by the self-detection 
routine generator, which will be described in detail later. 

Only methods "SetVal" and "Check" shown in FIG. 9 are used to check the method calls. 

10 The method "SetVal" assigns a set value to a given location of a buffer arranged in an array, and 
the method "Check" functions as a detection engine for perform a check according to rules with 
reference to contents of the buffer. At this time, since the buffer is arranged in an array to store a 
plurality of values therein, all the parameters and retum values of the matching mle as well as a 
name of a relevant matching aile are stored in a single array. According to many script languages 

15 such as Visual Basic Script or JavaScript, the same operation can be perfoniied by only an array 
without use of an additional separate structure since any types in general programniing languages 
can be put into a single variable without any limitation. The meanings of data stored in respective 
locations of the array of the buffer are defmed as Table 2 below. 



20 Table! 



Location of array 


Meaning 


Remark 


0 


Name of coincident matching aile 


Character string 


1 


Retum value 


Not name but values during 


execution are stored 


2 


Object for providing called methods 




Over3 


Parameters 





The operation of the script transformer is summarized as follows. First, the matching rules 
are loaded fi-om the rule description file. Second, sentences for initializing the malicious behavior 
25 detection routines are output (RuleBase object initialization method call). Third, the following 
operation is performed for all the sentences in a given script. That is, if one read sentence is 
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coincident with the matching rules, the parameters and return values are stored before and after the 
read sentence and the read sentence is then output together with a self-detection routine call 
sentence. However, if the read sentence is not coincident with the matching rules,^it is output as it 
is. Fourth, a malicious behavior detection routine code (RuleBase class code) obtained from ^ the 
5 self-detection routine generator is added to each read sentence. 

Next, a process of adding the malicious behavior detection routine will be described in 
. detail Malicious behavior detection related routines for inserting method call inforniation into a 
buffer and performing the malicious behavior detection can be combined into one class, i.e. the 
aforementioned RuleBase class. Public methods provided by this class are listed in Table 3 below. 

10 

Table 3 



Method 


Content 


Init 


Class initialization 


SetVal(pos, value) 


Assign a value of 'value' to pos-th of buffer. 


Check 


Check the presence or absence of malicious 
behavior 



When the code insertion is performed, values required for the check are .stored in the buffer 
15 using the "SetVal" method and a code for calling the "Check" method is inserted before and after 
the metiiod call sentence of the format described in the matching rules. Actually. die.^"Check'" 
method finds which matching mle called the "Check" method itself with reference to only contents 
of the buffer and ftinctions only as an entry point (or gateway) for calling the method in which the 
relevant matching rule has been implemented. In other word, each rule is represented as one 
20 private method belonging to a malicious behavior detection class and the self-detection routine 
generator automatically generates each method with reference to the rule definitions. 

At this time, the contents of the method in which each rule has been implemented ai e 
different in case of the matching and relation mles. Since the matching rule is performed only 
when a relevant sentence is matched with a given format, one rule instance is generated to record 
25 that the matching for a relevant mle occurs unconditionally, and higher-level rules are then 
checked. The mle instance corresponds, to a data stmcture including information on die relevant 
rule and is generated when a given condition is satisfied. Since the information stored in tlie 
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matching rule instances includes the values of matching mle variables such as $1 and $2, the 
instances can be generated by merely assigning the values stored in the buffer to proper locations of 
. the generated instances. ^ • 

The operation of the relation rule is basically the same as that of the matching rule, except 

5 that the relation rule always first checks condition expressions, and generates instances of a relevant 
rule and then checks higher-level rules only when the condition expressions are satisfied. Here, the 
satisfaction of the condition expressions means that there exist rule instances satisfying a relevant 
condition expression. In addition, the higher-level rules are referred to as rules with a relevant rule 
included in their own condition expressions and correspond to rules located at parent nodes of the 

10 relevant rule when the rules are represented in the form of a tree structure shown in FIG. 7. Thus, 
the higher-level rules can be determined prior to the execution through analysis of the rule 
definitions. 

The operation of the self-detection routine generator is summarized as follows. First, the 
matching and relation rules are loaded. Second, the loaded rules are analyzed and the higher-level 

15 rules of each of the loaded rules are then recorded. That is, one mle Rc is selected for all relation 
mles, a set S of rules appearing in a condition expression of the selected rule is obtained, and a mle 
Rc is then recorded as a higher-level rule for all mles belonging to the set S. Third, corresponding 
methods are generated for all the matching mles. At this time, the contents 'of the methods are as 
follows. That is, new aile instances are generated with reference to the contents of the buffer and a 

20 method corresponding to the higher-level mle is called. Fourth, corresponding methods are 
generated for all the relation ailes. At diis time, the contents of the methods are as follows. That is, 
a mle body portion is parsed and transformed in accordance with a script grammar, and a method 
corresponding to a higher-level mle is called. 

FIG. 10 shows an example of the generation of rule instances made through malicious 

25 behavior detection routine during the execution of scripts. Referring to this figure, the mle 
instances in the right side of the figure are generated whenever each row of the script in the left side 
is executed. Fields appended after names of respective mle instances mean values of mle variables 
described as $1 and $2 in the relevant rule definition. 

According to a method of detecting malicious scripts using a code insertion technique as 

30 described above, since a detection routine is configured to operate during the execution of scripts. 



13 



dynamically determined parameters and return values can be checked, and thus, detection accuracy 
can be improved. Further, since codes are inserted into only the scripts entering from the outside, 
unnecessary overhead is not gdnerated. Furthermore, since the modified codes j)erform the self- 
detection even in systems in which additional anti-viriises are not installed, there is an advantage in 

5 that the propagation of malicious scripts can be suppressed. Moreover, since a set of ailes used can 
be set in a various manner without any limitation to a specific script language, the detection method 
can be applied to a plurality of script languages without any limitation. 

Although the present invention has been described in detail in connection with the 
preferred embodiment of the present invention, it will be apparent to those skilled in the art that 

10 various changes and modifications can be made thereto without departing from the spirit and scope 
of the invention. Thus, simple modifications to the embodiment of the present invention fall within 
the scope of the present invention. 
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